If a session has the same source and same destination but triggers our child signature, 35364, 60 times in 60 seconds, we call it a brute force attack.

The child signature, 35364, looks for an SMB Negotiate (0x72) request. Multiple requests in a short time could be an attack exploiting CVE-2010-0231.

40036

MYSQL

MySQL COM_CHANGE_USER Brute-force Attempt

This event indicates that someone is performing a brute force attack and trying to authenticate as another user via the COM_CHANGE_USER command to the MySQL server. If a session has the same source and same destination but triggers our child signature, 36157, 7 times in 60 seconds, we call it a brute force attempt.

40037

SCADA

SCADA Password Crack Brute Force Attack

If a session has the same source and same destination but triggers our child signature, 31670, 10 times in 60 seconds, we call it a brute force attack.

If a session has the same source and same destination and triggers our child signature, 36518, 38 times in 60 seconds, we deem it a brute force attack. The child signature, 36518, looks for a DGA NXDOMAIN response from a DNS server.

40044

HTTP

WordPress Login Brute Force Attempt

This event indicates that someone is using a brute force attack to gain access to WordPress wp-login.php. The brute force signature looks for (by default) 10 or more triggers of child signature TID: 37480 in 60 seconds. The child signature looks for access attempts to wp-login.php.

If a session has the same source and same destination but triggers our child signature, 39290, 100 times in 30 seconds, we call it a brute force attack.

40078

SMB

Windows SMB SMBLoris Denial-of-Service Vulnerability

If a session has the same source and same destination and triggers our child signature, 37713, 100 times in 10 seconds, we call it a brute force attack. The child signature checks for a crafted SMB request.
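The parent/child thresholds listed above can be replayed over exported child-signature hits to see which source/destination pairs would raise a parent brute force signature. The following is an added example, not Palo Alto Networks code: it assumes a sliding window and a counter that restarts once the parent fires (this page states neither), and the event tuples and addresses are constructed.

```python
from collections import defaultdict, deque

# Thresholds copied from the list above:
# child TID -> (parent TID, hits required, window in seconds)
RULES = {
    36157: (40036, 7, 60),    # MySQL COM_CHANGE_USER
    31670: (40037, 10, 60),   # SCADA password crack
    37480: (40044, 10, 60),   # WordPress wp-login.php
    37713: (40078, 100, 10),  # SMBLoris
}

def correlate(events):
    """events: (timestamp_seconds, src, dst, child_tid) tuples sorted by time.
    Returns (timestamp, src, dst, parent_tid) for every threshold reached."""
    windows = defaultdict(deque)   # (src, dst, child) -> recent hit times
    alerts = []
    for ts, src, dst, child in events:
        rule = RULES.get(child)
        if rule is None:
            continue               # not a child of any rule tracked here
        parent, hits, seconds = rule
        recent = windows[(src, dst, child)]
        recent.append(ts)
        # Assumption: sliding window, so hits older than the window expire.
        while ts - recent[0] >= seconds:
            recent.popleft()
        if len(recent) >= hits:
            alerts.append((ts, src, dst, parent))
            recent.clear()         # assumption: counting restarts after firing
    return alerts

# Constructed sample: one fast and one slow wp-login.php client, plus a
# MySQL COM_CHANGE_USER burst. Addresses are documentation ranges.
SAMPLE = sorted(
    [(5 * i, "198.51.100.7", "203.0.113.10", 37480) for i in range(10)]
    + [(10 * i, "198.51.100.8", "203.0.113.10", 37480) for i in range(10)]
    + [(100 + i, "198.51.100.9", "203.0.113.20", 36157) for i in range(7)]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

The slow client sends the same number of wp-login.php requests as the fast one but never has 10 hits inside any 60-second window, so only the fast client and the MySQL burst produce a parent event.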

If the Threat ID you are looking for is not in this list, you can always view its values inside the Vulnerability Protection profile. In the WebGUI, go to Objects > Security Profiles > Vulnerability Protection, then click on a profile name. In this example, we will click on default.

Vulnerability Protection screen

Once inside, click the Exceptions tab, then select "Show all signatures" in the lower left corner of the window. Search for the Threat ID that you would like to see details about. Once you see that Threat ID, click the small pencil (edit) icon to the left of the Threat Name.

Note: If the threat does not show up, please ensure that you have updated your Dynamic Updates inside of Device > Dynamic Updates.

Vulnerability profile - Exceptions screen

Once this screen is up, you will see the attributes and the time period with which this vulnerability signature will be triggered.

Threat Detail screen showing the trigger details.

SEE ALSO

For more information on any of these threats/vulnerabilities, please visit our Threat Vault: